At least some of our database-tables were read. As said, we were using 1.5. but without anonymous view rights (which I know had some issues fixed in 1.6.) With Piwik 1.6, this exact injection is no longer possible, but was it really fixed or did the syntax simply change?